WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-devel] [PATCH][acm] Cleanup and support for policy decision command

from [Reiner Sailer] [Permanent Link][Original]
To: <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-devel] [PATCH][acm] Cleanup and support for policy decision command
From: Reiner Sailer <sailer@xxxxxxxxxx>
Date: Thu, 20 Oct 2005 14:15:23 -0400
Delivery-date: Thu, 20 Oct 2005 18:12:44 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Sensitivity:

This patch to the Xen access control module (ACM) and tools:

  1. adapts ACM hooks to the slightly changed event channel structure
  2. introduces an ACM_GETDECISION command, which enables authorized domains to retrieve policy decisions regarding the sharing of resources (STE policy) from the Xen hypervisor
  3. includes cleanup (warnings I found when applying  analysis tools such as beam or flawfinder to the ACM code)

 The get_decision function is useful to enforce:
   *  the security policy on network traffic  in the network backends in domain 0; currently there is no enforcement in Dom0 and all packets flow freely
   *  the security policy in block device backends to control which domains can access which vdisk resources

I have added a small test program that shows how to use the get_decision ACM interface call, it is in tools/security/get_decision.c and will be compiled together with the policy tools. As usual, the ACM is unconfigured until you switch on a security policy on in Config.mk.

Regards
Reiner

Signed-off: Reiner Sailer <sailer@xxxxxxxxxx>

__________________________________________________________
Reiner Sailer, Research Staff Member, Secure Systems Department
IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532
Phone: 914 784 6280  (t/l 863)  Fax: 914 784 6205, sailer@xxxxxxxxxx  
http://www.research.ibm.com/people/s/sailer/

Attachment: acm_get_decision.diff
Description: Binary data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-devel] [PATCH][acm] Cleanup and support for policy decision command, Reiner Sailer <=
Previous by Date:  [Xen-devel] XenMon Patch, Rob Gardner
Next by Date:  [Xen-devel] Daily Xen Builds, David F Barrera
Previous by Thread:  [Xen-devel] XenMon Patch, Rob Gardner
Next by Thread:  [Xen-devel] [PATCH] fix bugzilla 89 x86_64 linux won't boot on hardware with sata drives, Mike D. Day
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy